Event ID - 14

Event Id14
SourceMicrosoft-Windows-Kerberos-Key-Distribution-Center
DescriptionWhile processing an AS request for target service %1, the account %2 did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of %3). The requested etypes : %4. The accounts available etypes : %5. Changing or resetting the password of %6 will generate a proper key.
Event Information According to Microsoft :

Cause :

This event is logged when the account did not have a suitable key for generating a Kerberos ticket.

Resolution :

Change the account password

To resolve this issue, you must reset the password of the user account referenced in the event log message. If the referenced user account is the service account for the Kerberos Key Distribution Center (KDC), use the section named "Reset the password of the KDC service account." Otherwise, use the section named "Reset the password of the user account by using Active Directory Users and Computers."

To perform these procedures, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.

Reset the password of the user account by using Active Directory Users and Computers

To reset the password of the user account by using Active Directory Users and Computers:
  1. Log on to a computer that has Active Directory Users and Computers installed. It is installed by default on a domain controller.
  2. Click Start , point to Administrative Tools , and then click Active Directory Users and Computers .
  3. Navigate to the organizational unit where the user account is stored. By default, this organizational unit is named Users .
  4. Right-click the user account, and then click Reset Password .
  5. In the New password box, type the new password.
  6. In the Confirm Password box, retype the password.
  7. Select the User must change password at next logon check box, and then click OK .
  8. Close Active Directory Users and Computers.
Reset the password of the KDC service account
You must reset the krbtgt account password by using Active Directory Users and Computers and then update the service account password information in the properties of the Kerberos KDC service.

To reset the krbtgt account password by using Active Directory Users and Computers:
  1. Log on to a computer that has Active Directory Users and Computers installed. It is installed by default on a domain controller.
  2. Click Start , point to Administrative Tools , and then click Active Directory Users and Computers .
  3. Navigate to the organizational unit where the KDC service account is stored. By default, this organizational unit is named Users .
  4. Right-click the user account, and then click Reset Password .
  5. In the New password box, type the new password.
  6. n the Confirm Password box, retype the password.
  7. Select the User must change password at next logon check box, and then click OK .
  8. Close Active Directory Users and Computers.
  9. Use the section named "Update the service account password information and restart the service" to update the password information in the properties of the Kerberos KDC service.
Update the service account password information and restart the service

To update the service account password information in the properties of the Kerberos KDC service:
  1. Log on to the domain controller in which the issue is occurring.
  2. Click Start , point to Administrative Tools , and then click Services .
  3. Right-click Kerberos Key Distribution Center , and then click Properties .
  4. Click the Log On tab.
  5. In the Password and Confirm password boxes, type the new password, and then click OK .
  6. Right-click Kerberos Key Distribution Center , and then click Restart .
  7. Close the Services snap-in console.
Verify :

A valid Kerberos key is required to get a Kerberos ticket from the Kerberos Key Distribution Center (KDC). To verify that the Kerberos keys are valid and functioning correctly, you should ensure that a Kerberos ticket was received from the KDC and cached on the local computer. You can view cached Kerberos tickets on the local computer by using the Klist command-line tool.
Note : Klist.exe is not included with Windows Vista, Windows Server 2003, Windows XP, or Windows 2000. You must download and install the Windows Server Resource Kit before you can use Klist.exe.
To view cached Kerberos tickets by using Klist:
  1. Log on to a Kerberos client computer within your domain.
  2. Click Start , point to All Programs , click Accessories , and then click Command Prompt .
  3. Type klist tickets , and then press ENTER.
  4. Verify that a cached Kerberos ticket is available.
    • Ensure that the Client field displays the client on which you are running Klist.
    • Ensure that the Server field displays the domain in which you are connecting.
  5. Close the command prompt.
Reference LinksEvent ID 14 from Microsoft-Windows-Kerberos-Key-Distribution-Center

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.
 Refresh